Charles Bueche wrote:
On the other side, what do you mean with "define a module that registers a dummy matching rule with that OID" ? Is this a module like back_meta, rwn and friends ? Do you have any pointer like a dummy module to show where to begin ?
As you see, I'm pretty much at the beginning of the learning curve and I am very happy to get your help.
Regards, Charles
ok, it did cost me a lot of brain power, but I do have a workaround. I mention it here because I'm quite sure someone else will hit the same problem one day.
- the recursive search filter passed to the proxy should use a filter
supported by the proxy, eg
filter='(RecursiveMemberOf=cn=ls-msp-app2,OU=App,DC=extra,DC=proxy,DC=stuff,DC=ch)'
the proxy gasp it, accept it, and pass it to the rewrite module
use a rewrite rule to massage the filter:
rewriteRule "RecursiveMemberOf=cn=(.*),dc=extra,dc=proxy,dc=stuff,dc=ch" "memberOf:1.2.840.113556.1.4.1941:=cn=%1,dc=ad,dc=stuff,dc=ch" ":"
back_meta then pass the rewritten filter to the back-end AD.
Nice work.
To the developers: as mentioned by Pierangelo above, it should be possible to disable the filter sanity check when it is passed to a LDAP back-end. If the filter is insane, the back-end will complain soon enough.
That will never be done. The docs clearly state that when operating as a proxy, slapd must have schema definitions for anything passing through it. Many sites use OpenLDAP as a frontend proxy specifically because these sanity checks protect their backend servers (that are from other vendors and more fragile).
Pierangelo already gave the right answer here - write a piece of C code that registers OIDs for the matching rules you want and load it as a dynamic module. There are many modules in contrib/slapd-modules in the source tree.
Thanks for writing this great software ! Charles